topic Re: Measure CPS practically in General Topics
https://live.paloaltonetworks.com/t5/general-topics/measure-cps-practically/m-p/312962#M80857
Measure CPS practically
https://live.paloaltonetworks.com/t5/general-topics/measure-cps-practically/m-p/310927#M80503
<P>Hi Guys,</P>
<P>We have PAN VM 300. To implement Zone Protection, we want to measure CPS. Now we don't have Panorama and don't do firewall monitoring with any tool.</P>
<P>Now the admin guide suggests that:</P>
<UL>
<LI>Use third-party tools such as Wireshark or NetFlow to collect and analyze network traffic.</LI>
<LI>Use scripts to automate CPS information collection and continuous monitoring, and to mine information from the logs.</LI>
</UL>
<P>These statements are a bit vague and there are no further steps / description.</P>
<P>Has anyone done this? Is there any further information / steps which can help me measure CPS efficiently?</P>
<P>Thanks!</P>
rjdahav163, Thu, 13 Feb 2020 01:08:16 GMT

Re: Measure CPS practically
https://live.paloaltonetworks.com/t5/general-topics/measure-cps-practically/m-p/310938#M80505
<P><LI-USER uid="44973"></LI-USER>,</P>
<P>So generally I use SNMP to read the MIB values for the active TCP, UDP and OtherIP values, because honestly this is going to be easiest. There are plenty of free tools available, regardless of operating system, that will let you pull these via SNMP and set up polling. You absolutely don't <STRONG>need</STRONG> to spend any money to do this. You could automate collection of the same values via the API or Python or whatever, but based off of your question I'm going to assume that this is off the table.</P>
<P>The thing to remember with ZP or DoS profiles is that you don't actually <STRONG>need</STRONG> to get it right first time go; take an educated guess and work off of that. Set the Alarm Rate on everything to what you think would actually be a reasonable amount; and then kick up the Activate and Maximum values to something you know you'll never hit in a million years.</P>
<P>When the Alarm Rate is hit, it will generate a threat log entry with the subtype of flood. As long as you don't hit your Activate or Maximum values, nothing adverse is going to happen. Utilize these alerts to fine tune what your realistic values need to actually be for the Alarm rate. Once you have the alarm rate nailed down, then adjust your Activate and Maximum values using your Alarm rate as a baseline.</P>
BPry, Thu, 13 Feb 2020 03:02:25 GMT

Re: Measure CPS practically
https://live.paloaltonetworks.com/t5/general-topics/measure-cps-practically/m-p/311286#M80567
<P>Not sure if this is still being updated/supported, but you can try the Pan(w)achrome Chrome plugin.</P>
jambulo, Fri, 14 Feb 2020 19:33:32 GMT

Re: Measure CPS practically
https://live.paloaltonetworks.com/t5/general-topics/measure-cps-practically/m-p/312549#M80812
<P><LI-USER uid="43480"></LI-USER></P>
<P>Thanks for your response.</P>
<P>OK, I am trying to use our SNMP tool with the OID 1.3.6.1.4.1.25461.2.1.2.3.10 for PanZoneActiveTcpCps.</P>
<P>Similarly for the other two, PanZoneActiveUdpCps and PanZoneOtherIpCps.</P>
<P>What OIDs did you use?</P>
<P>Thanks!</P>
rjdahav163, Mon, 24 Feb 2020 04:31:25 GMT

Re: Measure CPS practically
https://live.paloaltonetworks.com/t5/general-topics/measure-cps-practically/m-p/312550#M80813
<P><LI-USER uid="7542"></LI-USER> - Thanks, will try that out as well.</P>
rjdahav163, Mon, 24 Feb 2020 04:31:51 GMT

Re: Measure CPS practically
https://live.paloaltonetworks.com/t5/general-topics/measure-cps-practically/m-p/312959#M80854
<P>Any ideas here, guys?</P>
<P><LI-USER uid="43480"></LI-USER> ?</P>
rjdahav163, Wed, 26 Feb 2020 03:19:54 GMT

Re: Measure CPS practically
https://live.paloaltonetworks.com/t5/general-topics/measure-cps-practically/m-p/312962#M80857
<P><LI-USER uid="44973"></LI-USER>,</P>
<P>You'll want to do a MIB walk to get the other OID values.</P>
BPry, Wed, 26 Feb 2020 03:42:26 GMT

Re: Measure CPS practically
https://live.paloaltonetworks.com/t5/general-topics/measure-cps-practically/m-p/314732#M81148
<P>Where can I see the alarm log when the CPS reaches the Alarm rate?</P>
<P>Monitor &gt; logs &gt; threat? Or Monitor &gt; logs &gt; Alarm?</P>
<P>If we have the same value for Alarm and Activate and we have set RED, then after the CPS reaches that value we will get an alarm trigger log and then all packets are dropped, including all legitimate packets?</P>
<P>Am I right?</P>
JeffKim, Thu, 05 Mar 2020 17:17:50 GMT
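
<P>Added example (not part of any post in this thread, and not Palo Alto Networks code): a Python check for the tuning pass BPry describes earlier, comparing polled CPS values against a guessed Alarm Rate while confirming that Activate and Maximum stay out of reach. The zone names, sample values and thresholds are constructed, the function name review is hypothetical, and treating a poll "at or above" Alarm as an alert is an assumption.</P>

```python
from collections import defaultdict

# Constructed sample polls: (time, zone, protocol, CPS read over SNMP).
# Zone names and values are invented for illustration.
SAMPLES = [
    ("09:00", "untrust", "tcp", 180), ("09:01", "untrust", "tcp", 240),
    ("09:02", "untrust", "tcp", 910), ("09:03", "untrust", "tcp", 310),
    ("09:00", "untrust", "udp", 40),  ("09:01", "untrust", "udp", 55),
    ("09:02", "untrust", "udp", 62),  ("09:03", "untrust", "udp", 48),
]

# Candidate thresholds per (zone, protocol): Alarm is the educated guess,
# Activate and Maximum are deliberately far above anything expected.
THRESHOLDS = {
    ("untrust", "tcp"): {"alarm": 500, "activate": 50000, "maximum": 100000},
    ("untrust", "udp"): {"alarm": 200, "activate": 50000, "maximum": 100000},
}

def review(samples, thresholds):
    """Summarise polled CPS against candidate Zone Protection thresholds."""
    series = defaultdict(list)
    for when, zone, proto, cps in samples:
        series[(zone, proto)].append((when, cps))

    report = {}
    for key, limits in thresholds.items():
        alarm, activate, maximum = (
            limits[name] for name in ("alarm", "activate", "maximum"))
        # Sanity check for the staged setup: Alarm lowest, Maximum highest.
        if not alarm <= activate <= maximum:
            raise ValueError(f"{key}: expected alarm <= activate <= maximum")
        points = series.get(key, [])
        peak = max((cps for _, cps in points), default=0)
        report[key] = {
            "polls": len(points),
            "peak": peak,
            # Polls at or above Alarm: moments a flood alert would be expected.
            "alarm_times": [when for when, cps in points if cps >= alarm],
            # Must stay False while tuning, otherwise traffic is affected.
            "reached_activate": peak >= activate,
            "headroom_to_activate": activate - peak,
        }
    return report

if __name__ == "__main__":
    for key, row in review(SAMPLES, THRESHOLDS).items():
        print(key, row)
```

<P>SNMP polls are point-in-time samples, so a burst between two polls will not appear here; the flood entries in the threat log remain the reference for what the firewall actually saw.</P>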